During a malware investigation, an analyst discovers a suspicious file with a hash value that matches known malware. However, the file fails to execute and does not exhibit any malicious behavior in a sandbox. What is the most likely reason for this discrepancy?
- A: The file is a false positive and is actually benign
  Why wrong: A false positive would imply the hash does not match known malware; here it does match.
- B: The sandbox is not updated with the latest signatures
  Why wrong: Hash matching is independent of signatures; the sandbox would still see the file as malicious based on hash.
- C: The file's metadata has been modified to evade analysis
  Why wrong: Modifying metadata would change the file hash, so the hash would not match known malware.
- D: The file is packed or obfuscated to prevent execution in a sandbox
  Why correct: Packing can prevent execution until unpacked, causing the sandbox to not observe malicious behavior.